Barnaby Jack, famous for getting ATMs to disgorge an avalanche of cash on stage at the Black Hat Briefings, says he has developed an attack that could be used to deliver a lethal dose of insulin to diabetics using the embedded pumps.

Jack, a security researcher at McAfee, demonstrated the hack at the Hacker Halted security conference in Miami on Tuesday. In it, he used a modified antenna and software to wirelessly attack and take control of implantable insulin pumps from the firm Medtronic. Jack demonstrated how such a pump could be commanded to release a fatal dose of insulin to a diabetic who relied on the pump.

The presentation builds on a similar hack, demonstrated at this year’s DEFCON hacking conference, in which researcher Jerome Radcliffe — diagnosed with diabetes 11 years ago — demonstrated how he could tweak the dosage levels on his pump remotely. Radcliffe’s hack required the attacker to know the unique numeric device number of the implantable pump she was attacking. Barnaby’s hack improves on that method, allowing an attacker to compromise any vulnerable device within 300 feet even without knowing its unique device ID.

The August hack at DEFCON prompted a response from federal lawmakers. Two senior members of the House Energy & Commerce Committee called for the Government Accountability Office (GAO) to perform a formal review of wireless medical devices like the pump to determine whether devices that are on the market are “safe, reliable and secure.”

Alas, the consensus among security researchers is that they are not. Jack points out that the Medtronic devices do not use encryption to protect wireless communications between the implanted device and the management software. That means that anyone listening on the proper frequency can intercept those communications and even manipulate the device remotely: tweaking the amount of insulin delivered by the pump, disabling it or restarting it.

In an exclusive interview with Threatpost in August, Kevin Fu, an Associate Professor of Computer Science at the University of Massachusetts, said that software vulnerabilities, including those that may be remotely exploitable, are increasingly common as implanted medical devices use wireless technology for management and diagnostic purposes. Along with Prof. Dina Katabi of MIT, Fu is looking into methods for jamming implantable medical devices (IMDs) to prevent them from being wirelessly tampered with.

Jack is a well-respected security researcher with a flair for the dramatic. He famously induced an automated teller machine to spit out a cascade of cash at the Black Hat Briefings in 2010 to demonstrate weaknesses in the software that secures cash machines.

In the case of the insulin pump, however, the potential downside is not economic, but existential.

Medtronic, which manufactures the pump attacked by Jack, said at the time of the Black Hat presentation that it takes the security of its devices seriously and will develop more security features as “technology evolves.” However, the company maintains that the risk of deliberate or malicious manipulation of insulin pumps is extremely low. “To our knowledge, there has never been a single reported incident of a deliberate attack on an insulin pump user in more than 25 years of insulin pump use,” the company said.


Comments (2)

  1. Juan

    “To our knowledge, there has never been a single reported incident of a deliberate attack on an insulin pump user in more than 25 years of insulin pump use,” the company said.

    So, they are waiting for someone to die to address this issue?? Sadly, that’s the position that most companies take when facing security, but we are talking about people’s health here! And it is funny that they say “in more than 25 years of insulin pump use”, for how long have they been selling WIRELESS pumps? And of course, there are easier ways to kill someone :p, but that doesn’t mean that this could never happen.

    Thank god, I don’t have any relatives with diabetes and I’m from Argentina, so I don’t even know if that particular brand is available here. But we shouldn’t wait for something to happen, if you know about anybody using these pumps, please let them know about this issue. Maybe if enough people complain….

  2. Doug

    My daughter has Type I diabetes and uses a pump from Medtronic. It would be interesting to find out if this hack also circumvented the remote control feature of the pump along with the audible alerts.

    You see, for the built-in remote control feature to control the delivery of the insulin it must first be turned on. After reading about the DEFCON hack earlier this year, I confirmed that this setting was turned off with her pump since we do not use the remote control feature.

    Additionally, any time the insulin delivery settings are altered/administered there is also an audible alert and an optional vibrate alert.

    There are other pumps on the market like the Omnipod which are almost entirely dependent on a PDA-like device that wirelessly connects to the pump, and it will be interesting to see this research expanded to other manufacturers too.

    That said, security by obscurity will eventually fail, and Medtronic and others must do a better job about securing their devices. But there also needs to be a better understanding of what is actually going on in order to cut through the hype.
